In a recent short blog entry, I pointed you to Wayne Rash's column and added a few suggestions of my own. A friend was singularly unimpressed. I suspect that it is because Wayne's column -- and my enthusiastic support of it -- isn't "the sky is falling" enough for some security folks. Maybe I am getting too old for this. I rather believe that after 18 years of doing this, I have a good sense of real risk. There is a sense that "a little paranoia is a good thing" in network security. That is wrong. Paranoia is a disorder. It is irrational. A clear sense of real risk is what we need.

All to say, here is another call for calm that my friend might not like as posted in The Register.

1/21/05

Wireless hotspots are ... well, hot. And they can be safe for computing with a bit of care on your part. Wayne Rash at CMP has excellent suggestions in his column at www.securitypipeline.com/57702370. I have a few additions, which I hope are obvious.

PC firewall. You have it running all the time on your portable PC too, right?

A wireless hotspot with its lack of confidentiality on the connection leaves your communications open to snooping (which Wayne covers). It also might make your system an attack target. Make sure your PC firewall knows that you are now in untrusted territory. You may have set it as "trusted" when working at home or the office.

1/8/05

In June 2003's NetSec Letter #27, "Spam Control," I described various methods of controlling spam, including my set-up. I gave an update in my blog entry "My Current Spam Barrier." Since then I have made some changes, which I describe here.

First, I want to briefly (for detail see the above URLs) remind you of what I've done, and tell you why I made a change. While I receive e-mail through the mail servers for Avolio Consulting (avolio.com), I have an ISP for connectivity to the Internet from my home and office. I decided mail would flow like this:

Internet → avolio server → ISP → mailbox@ISP

I did this because the ISP provided a web interface for when I was away from my e-mail client, and because the ISP has a full-time staff of people doing backups and otherwise maintaining the e-mail servers... I guess.

An added benefit was that the ISP filtered mail through a spam-catcher. It was very effective. Any spam that got through to that mailbox was stopped. And it was extremely rare that any nonspam was misfiled. So reliable was it that I just stopped checking the Spam folder.

So, why did I change? The ISP implemented what seemed to me to be a malfunctioning sender verification system. Daily, I found e-mail delayed in my avolio.com queue waiting to deliver to my ISP mailbox due to a sender verification problem. Sometimes it was spam (so, it was doing its job). Often -- usually -- it was legitimate e-mail. Further, it was e-mail from addresses that had previously worked. Finally, one day came the straw that broke this camel's back, with 3 messages from a friend delayed. I stopped forwarding e-mail to my ISP mailbox. And started to get a bunch of spam.

You see, the things I had put in place were fairly effective. But, not effective enough. The ISP's spam filter was picking up the slack for what I missed with PostFix and Spamassassin. I needed to add something more.

The something I added is greylisting. It is described in Evan Harris' whitepaper "The Next Step in the Spam Control War: Greylisting." Simply put, it looks at the IP address of the host attempting the delivery, the envelope sender address, and the envelope recipient address. "If we have never seen this triplet before, then [we] refuse this delivery and any others that may come within a certain period of time with a temporary failure." This works because "Any well behaved message transfer agent (MTA) should attempt retries" if given a soft error message (a 400-level error, such as one meaning "service unavailable, try later"). This delay only occurs the first time an attempt is made. So, it only affects the first ever attempted delivery from a particular IP address, from a particular sender, to a particular user's mailbox. All other attempts breeze through.

I won't go into more detail than this; read the paper. I am currently implementing this in PostFix using a greylisting extension. And, it is great. I've dramatically reduced the incoming spam. I've also cut down the number of spam messages I used to catch in my spam "hold" box (see my previous blog, mentioned above) from roughly 100 a day (remember, these were quarantined for me to quickly check out and toss) to under 10 a day, and sometimes none. I've also gotten no complaints from users about missing mailing list e-mails, nor from senders complaining about e-mail bouncing. A review of the mail logs indicates that legitimate (non-spam) e-mail that is greylisted is retried by the sending system in an hour, and some systems retry in 10 minutes.
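The triplet logic described above, written out as an added example in the shape of a Postfix policy check. This is not the author's set-up or any real greylisting extension; the delay and expiry constants are assumptions, and the addresses and client IPs are constructed.

```python
"""Greylisting (Harris-style triplet check) as a Postfix policy decision."""
import time

MIN_DELAY = 300             # assumed: a new triplet must wait 5 minutes
UNCONFIRMED_TTL = 4 * 3600  # assumed: forget triplets never retried within 4 h
CONFIRMED_TTL = 36 * 86400  # assumed: remember known-good triplets for 36 days

# A 4xx reply is a soft error; a well-behaved MTA queues and retries later.
DEFER = "defer_if_permit Greylisted, please try again later"
ACCEPT = "dunno"            # Postfix: no opinion, let the next check decide


class Greylist:
    def __init__(self):
        # (client_ip, sender, recipient) -> [first_seen, last_seen, confirmed]
        self.records = {}

    def check(self, client_ip, sender, recipient, now=None):
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        rec = self.records.get(key)
        if rec is not None:
            ttl = CONFIRMED_TTL if rec[2] else UNCONFIRMED_TTL
            if now - rec[1] > ttl:    # stale entry: treat as never seen
                rec = None
        if rec is None:
            self.records[key] = [now, now, False]
            return DEFER              # first sight of this triplet
        rec[1] = now
        if rec[2] or now - rec[0] >= MIN_DELAY:
            rec[2] = True             # retried after the delay: a real MTA
            return ACCEPT
        return DEFER                  # retried too soon: still a soft error


def policy_response(gl, request, now=None):
    """Parse one Postfix policy request (name=value lines) into an action."""
    attrs = dict(line.split("=", 1) for line in request.strip().splitlines())
    action = gl.check(attrs["client_address"], attrs["sender"],
                      attrs["recipient"], now)
    return f"action={action}\n\n"


if __name__ == "__main__":
    gl = Greylist()   # constructed scenario: a legitimate MTA retrying after 10 min
    for t in (0, 600, 86400):
        print(t, gl.check("203.0.113.5", "friend@example.org", "me@example.com", t))
    # a fire-and-forget spam sender makes one attempt and never comes back
    print(gl.check("198.51.100.9", "bulk@example.net", "me@example.com", 0))
```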

Why this blog entry then? I want to simply spell out what every home PC should have in a form that you and I can send out to relatives and friends.

Every home PC should have the following:

Antivirus software. You know this. Surely you have it. If you do not, you are foolish. Keep it up to date. It's worth the money. Really it is.

Personal Firewall. Use a free firewall, such as ZoneAlarm (that's what I use) or any others you find at www.personalfirewallday.org/firewall.html. If you run Windows XP, enable the firewall that comes with XP. Your antivirus vendor might have a deal with bundled AV and personal firewall. Check it out.

Spyware removal software. This is a new (over the last year) problem, and one that many home users are ignoring. Don't have spyware? I bet you do. Ever click on something that said "Click here to speed up your Internet connection?" Ever install "free" software? Maybe you've added a neat item on your toolbar that shows the weather or stock reports. Computer running slower and slower? Are you now plagued with pop-up advertisements? There is a good chance you have some spyware running on your computer.

The University of Maryland has a "Basic Windows Computer Security" page at www.helpdesk.umd.edu/documents/4/4018/. You'll not be able to download software, but the recommendations are excellent (and I've already pointed you to some downloads).

Be careful out there.

Oliver (no last name given) commented, "SpyBot installs 'DSO Exploit'." I find no evidence of that, just that earlier versions tagged this exploit but could not deal with it. Everything I see says Spybot gets good grades.

It is worth pointing out that most people recommend using two different products for countering spyware (for example, both SpyBot and Ad-Aware).

Be careful you get the correct software. Some companies put tags on their webpage such that if you do a search for one product, a competitor's product shows up. This is not merely the search engine company helping you out. It is "deceptive marketing practices," as Dave Piscitello says in his weblog. See entry #336 in the spam and spyware section of his weblog.

An example of something similar, not as sleazy, but nearly as obnoxious... Type "adaware" (note no hyphen -- the product is Ad-Aware) in a Google search and the first thing that you get is a sponsor's (i.e., paid advertiser) link to something called "NoAdware," indicating it is the "2005 highest rated spyware remover." Hmmmm. 2005 is 6 days old as I type this. Must have been a quick test. It does not say that on the web page -- not that I can see -- but in the advertisement on Google it does. On the web page it says, "21,756,915 downloads by people in over 100 countries as of 04:02PM EST, Jan 06, 2005." I wonder how many of them thought they were getting Ad-Aware? This product might be great. I just don't like this practice. But, then Dave did point out that they were infamous in other places. For example, they show up in the Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites.

A friend was spending part of his day last week cleaning up malware (adware, spyware) from home computers, including his business computer in his home office. (A search for "spyware review" will turn up a lot of sites, including this review in PC Magazine.) Friday, he IMed me the following:

Remember I told you I was battling spyware and the like? Well, my debit card was denied yesterday. I checked the bank statement on-line and found an unexplained charge for over $1K from [name1 omitted]. Turns out I made a legit purchase from [name2 omitted] for $100 and some trojan program tagged along and xferred over $1K to someone else's account at [name1 omitted]. They tagged it as suspicious and blocked further withdrawals. I talked to them and they will refund (and I hope will prosecute).

Now, this wasn't your average spyware... or was it? It did what any spyware/adware/malware can do. It just did something illegal.

... What is the cost of enumerating viruses and malware and running antivirus software ($19/year/desktop...) versus the cost of telling the system exactly what code you want to allow to run. (Hmmm, let's see - I could define my desktop computer's "allow" list in 3 seconds: Eudora, Opera, Photoshop, Powerpoint, Word, and directory toolkit) The obvious answer is "default deny" rather than "default permit and block/enumerate all evil."

Good idea. Where can I (average consumer) buy it? And will any average consumer want to run it?

On the list, Marcus suggested:

There are a few products out that do this. Citadel has a pretty cool package (SecurePC) that's designed for kiosk applications. I've considered using it as a lock down tool for my laptop but the tool is a bit more "enterprisy" than I need. I think it's designed for locking down ATMs and stuff like that from a central point. What I want is something that has a ZoneAlarm-like "smart interface" that lets me reverse-engineer a policy over time.

A reader sent me a Google-discovered link to http://force.coresecurity.com/. It is in a beta-test period, apparently. The screenshots indicate program-level control (what can execute) as well as authorization (what that program may do). It may also be worth a look.

It is very happy (and effective) on my wife's Win2K computer. The kids go "various places" on it and tend to pick up barnacles, which seem to have a much tougher time now. I passworded the PrevX console so they can't just click "shoot me" as easily. And the best news was that it didn't break anything. :-)

1/5/05

In an e-mail exchange with Dave Piscitello today, he asked about RSS Newsfeed readers. I mentioned that I still use Eudora, but have been recommending Mozilla's Thunderbird. He mentioned moving to a different e-mail client, and wrote:

I am disappointed that I have to give up PGP but could not reasonably continue to purchase $100-200 worth of email and security software for the purpose of communicating with 9 people. What a sad indictment on the state of email security, huh?

Sad is not the word. Elsewhere on my web site are articles and columns I've written about e-mail security and e-mail security products. The earliest one is from mid-2000. And now, in 2005, we still do not regularly use secure e-mail! What are we thinking?

A year or more ago, I captured all these columns and articles on one page, The Secure Email collection. I am shocked that they are still relevant.

1/3/05

When my daughter came home from college for Christmas break, she brought her Windows XP Professional computer with her. She also brought some problems.

The computer worked fine at school. But, when she installed it on our network, the first thing she noticed was she had no network connectivity. She could "see" other computers on the home network -- the "network neighborhood" -- but could not "get out." Neither could she connect via TCP/IP to other systems on the home network. Having just recently dealt with similar symptoms on a Windows 98 system at home, I suspected spyware. Sure enough, when I installed both SpySweeper and SpyBot Search & Destroy, they reported numerous problems. I cleaned up the problems, and ... well, it was still broken. Remembering what I had just recently done with the '98 box, I tried to remove TCP/IP from the system. But, this is impossible (as far as I am able to tell) under XP. It is "an integral part of the system" and cannot be removed.

To make a long story short, I fiddled with the registry, and promptly broke things worse. Now, networking was completely broken. All I wanted to do was to reinstall the networking components of Windows. Simple, no? Simple under UNIX. Not in XP. It looked like all I could do was to reinstall Windows XP, and the only way to reinstall is to first format the partition. All her CDs of installed software were back at college. I saw that as an absolute last resort. (Although, with the working CDRW drive, I could have copied off her personal files and settings.) My friend Rick (back at DEC, when all else failed, we'd get him to lay hands on a seemingly dead computer to bring it back to life) offered to play with it if I dropped it off. I was reluctant to make the drive to Northern Virginia. I hated more to take up his valuable time (of which he gave a lot when I was struggling with the '98 system).

Another friend, Peter, came by with his family on New Year's Day. He inquired after my daughter's machine. I said, "Still dead... want to take a look before dinner?" After fiddling around until "Dinner!" was called, he made a suggestion: import good registry entries from my working XP Pro machine. A week ago I had run a program Rick found that claimed to add good registry entries to replace broken ones. I am not sure what entries the program replaced. I replaced tcpip, dhcp, winsock, and winsock2 (from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\), exporting them from my registry and importing them onto hers. For good measure, I again uninstalled the network adapter from the hardware profile (using device manager).